from the console-yourselves dept

Nintendo: it protects what it believes it owns with great vigor. The company has rarely missed an opportunity to make sure that other people are not allowed to alter or mess with the stuff Nintendo insists is Nintendo's. In an apparent effort to maximize the irony combo-meter, Nintendo also has been known to make sure that customers don't mess with or alter the properties those customers actually own, such as online support for games that Nintendo decided to alter long after purchase... just because.

But the cold grip of Nintendo's control over its customers' property is apparently no longer limited to games. Nintendo recently released an update for the Wii U that forces you to "agree" to a new end-user license agreement, or else it simply bricks the console altogether.

This is how Nintendo's update to its end-user license agreement (EULA) for the Wii U works, as described by Youtube user "AMurder0fCrows" in this video. He didn't like the terms of Nintendo's updated EULA and refused to agree. He may have expected that, like users of the original Wii and other gaming consoles, he would have the option to refuse software or EULA updates and continue to use his device as he always had before. He might have to give up online access, or some new functionality, but that would be his choice. That’s a natural consumer expectation in the gaming context – but it didn’t apply this time. Instead, according to his video, the Wii U provides no option to decline the update, and blocks any attempt to access games or saved information by redirecting the user to the new EULA. The only way to regain the use of the device is to click "Agree."

It immediately brings to mind Sony's similiar move with their Playstation 3 product, in which the company unilaterally pushed out an update that would strip the console of serious functionality, including the ability to run other operating systems. It was something users had specifically wanted when they bought the console, and an update was pushed out to then take it away from them, but at least the update could be refused. There were consequences to refusing the update, but it didn't brick the console. Nintendo, in other words, is now officially worse than Sony when it comes to screwing with the console property of their customers.

As the EFF post notes, this represents the latest step in a very troubling trend for consumer rights. It's a practice no longer even limited to the digital world, with physical products now including different kinds of DRM or methods to break the product if any payment issues arise. This also only continues to happen as long as customers put up with it. Nintendo may end up learning that lesson the hard way.

from the get-busy-reading dept

We've discussed the stupidity of privacy policies many times in the past. Honestly, it's an idea that serves no useful purpose, yet most sites are required to have one, and if you don't, people get all upset. But no one reads them, and most people incorrectly assume that if a site has any privacy policy, they must keep data private.

The reality is that the incentives of a privacy policy are to not use it to keep your info private. In fact, the incentives are to make a privacy policy as permissive as possible. Because the only time you get in trouble is not if you fail to protect someone's privacy... but if you violate your own privacy policy. So companies have the incentive to write a privacy policy that is as permissive to the company as possible, so that they're less likely to avoid violating their own privacy policy. That is, conceptually, the best privacy policy for a company is one that says "we don't take your privacy seriously at all and share all your data," because then they'll never break that policy. Of course, companies don't go that far, because that's pretty extreme -- but it does lead to vague privacy policies that no one reads anyway. Oh, and even when people do read them, almost no one understands them.

In fact, a new report notes that if you actually bothered to read all the privacy policies you encounter on a daily basis, it would take you 250 working hours per year -- or about 30 workdays. The full study (pdf) by Aleecia M. McDonald and Lorrie Faith Cranor is quite interesting. They measure the length of privacy policies, ranging from just 144 words up to 7,669 words (median is around 2,500 words) and recognize that at a standard reading pace of 250 words per minute, most privacy policies take about eight to ten minutes to read. They also ran some tests to figure out how long it actually takes people to read and/or skim privacy policies.

They put all of this together and estimated that it would normally take a person about 244 hours per year to read every new privacy policy they encountered... and even 154 hours just to skim them. They used some variables to create a lower and upper bound estimate as well:

They then go further to try to estimate the cost to the economy of all this privacy policy reading, but I always finds such extrapolations to be pretty meaningless. They assume a constant return on time, so just like bogus studies about how much personal surfing "costs" the economy, those figures seem totally meaningless. But the amount of time estimates do seem completely valid.

And, here's the thing: that's only for privacy policies. Imagine if you read terms of service and end user license agreements too... Of course, sometimes those include little hidden gems. Like the time a company put a clause in its EULA that the first person to read that clause and contact them would get $1,000. It only took four months for someone to actually spot it.

from the plus-full-retail-price,-if-possible dept

Just when you thought no one would be able to top the various levels of DRM insanity plied by Ubisoft in its quixotic quest to end piracy as we know it, something else comes along that's bigger and badder than the nuisances that preceded it.

Electronic Arts' new game service, Origin, has hidden some rather disturbing language inside its EULA. Rock, Paper, Shotgun notes that in order to play Battlefield 3, or any other game that requires Origin to run, you're going to have to let EA root around inside your computer. Here's the gory details, straight from Origin's EULA:

2. Consent to Collection and Use of Data.You agree that EA may collect, use, store and transmit technical and related information that identifies your computer (including the Internet Protocol Address), operating system, Application usage (including but not limited to successful installation and/or removal), software, software usage and peripheral hardware, that may be gathered periodically to facilitate the provision of software updates, dynamically served content, product support and other services to you, including online services. EA may also use this information combined with personal information for marketing purposes and to improve our products and services. We may also share that data with our third party service providers in a form that does not personally identify you. IF YOU DO NOT WANT EA TO COLLECT, USE, STORE, TRANSMIT OR DISPLAY THE DATA DESCRIBED IN THIS SECTION, PLEASE DO NOT INSTALL OR USE THE APPLICATION. This and all other data provided to EA and/or collected by EA in connection with your installation and use of this Application is collected, used, stored and transmitted in accordance with EA's Privacy Policy located at www.ea.com. To the extent that anything in this section conflicts with the terms of EA's Privacy Policy, the terms of the Privacy Policy shall control.

Now, as RPS notes, some of this wording is not that unusual. Many software companies collect system data and several will even tell you that they plan on distributing this to third parties. This includes Steam, whose EULA states that it will:

... store information on a user's hard drive that is used in conjunction with online play of Valve products. This includes a unique authorization key or CD-Key that is either entered by the user or downloaded automatically during product registration. This authorization key is used to identify a user as valid and allow access to Valve's products. Information regarding Steam billing, your Steam account, your Internet connection and the Valve software installed on your computer are uploaded to the server in connection with your use of Steam and Valve software.

Valve's policy is self-restricted to anything on your PC directly relating to its own products. EA's is so broad that it gives the publisher permission to scan your entire hard drive, and report back absolutely anything you may have installed, and indeed when you may use it, and then pass that information on the third parties.

Now, this data collection may be used in a neutral fashion, heading directly back to EA for dissection and analysis. But there are two aspects that are particularly troublesome: A.) the wording in the EULA is very unspecific and B.) you have to "AGREE" to the terms in order to install your purchased software. In other words, before you can even start playing, EA wants to start digging.

It gets better:

And then even more creepily, they say they intend to take such information, combine it with personal information about you, and use it to advertise directly to you. However, when selling on this free-for-all on your computer's contents, they'll at least remove personally identifying information. Gosh, thanks.

Perhaps you're thinking to yourself: screw this online delivery system and its unseemly urge to dig into my hard drive and operating system. I'll just buy one off the shelf, thank you very much. Not. So. Fast.

It strikes us as beyond acceptable. And so much more serious now that EA has made its intentions clear to make so many of their games exclusively delivered through Origin. Were there a choice about what you'd use to play Battlefield 3, Mass Effect 3, etc, then gamers could opt out of allowing Origin on their systems while such a policy is in place. But instead it's a case of agree to such remarkable terms, or don't play their games at all.

So, it comes down to this: EA wants what's in your hard drive and any other info it can pick up from your usage habits. Sure, EA has probably always wanted this information but now it's deciding that you, the customer, will only play its games if you give up your information. Apparently, $50+ for a game just isn't payment enough anymore.

Update: Looks like all this attention has gotten EA to back down a little. Not fully, mind you. They now say they can still collect the data. Just not give it to marketing partners.

Answering a student question, Roberts admitted he doesn't usually read the computer jargon that is a condition of accessing websites, and gave another example of fine print: the literature that accompanies medications.... It has "the smallest type you can imagine and you unfold it like a map," he said. "It is a problem," he added, "because the legal system obviously is to blame for that." Providing too much information defeats the purpose of disclosure, since no one reads it, he said. "What the answer is," he said, "I don't know."

Well, that's comforting. Of course, I'm less interested in "the answer" to all that small type, and more interested in the answer to the question of how those things can be considered legally binding when even the Chief Justice of the Supreme Court doesn't read them...

from the fleeting-copies dept

Video game company Blizzard often appears to be a study in contrasts. At times, it seems to recognize the changing nature of the technology landscape, embracing scarcities, giving people reasons to buy and even coming out against DRM. But, at the same time, it tried to retroactively ban anonymity in its forums, and has been notoriously litigious, even going after organizations who promote its games.

However, perhaps the most troubling (and highest profile) issue involving Blizzard is its lawsuit against a guy who made a bot for doing things within World of Warcraft. While we recognize that such things can be used to "cheat," the problem was Blizzard's attempt (successful so far) to drastically stretch the meaning and intent of copyright law, to suggest that making such a bot infringes on its copyright. Beyond the basic questions of how the decision in the case was at odds with the basic concepts of the First Sale doctrine, the real problem was that nothing the bot does actually violates copyright law. The judge had to seriously twist both the letter and spirit of copyright law to come to that conclusion (and if you don't want my analysis on it, try copyright expert William Patry's, who noted):

The critical point is that WoWGilder did not contributorily or vicariously lead to violating any rights granted under the Copyright Act. Unlike speed-up kits, there was no creation of an unauthorized derivative work, nor was a copy made even under the Ninth Circuit's misinterpretation of RAM copying in the MAI v. Peak case. How one might ask can there be a violation of the Copyright Act if no rights granted under the Act have been violated? Good question.

To get to its result, the court had to first find that WoW, even though sold over the counter, was licensed not sold. In so finding, the court declined to follow the recent Vernor opinion in the Western District of Washington, believing it had to follow other Ninth Circuit precedent. I agree with the Vernor court that the other precedent (MAI, Triad, Wall Data) do not hold that over the counter software is licensed, not sold. (WoW may be purchased online too, but I don't think this changes the analysis.). Having found there was license not a sale, there still had to be a breach of the license in order to permit an infringement action to lie, and recall here that the claim is not one for direct infringement, but rather secondary liability; there was no privity between the parties. There was in fact no provision in the license that barred use of WoWGlider. The court took the extraordinary step of stitching together two unrelated provisions to create one. You have to read it to believe it, but it took the court 8 pages to go through this hard work, and why? Was the court offended by what it regarded to be cheating? If so, God help us if law is being reduced to such subjective, non-statutory grounds.

While the appeal in that case is still ongoing, it appears that Blizzard is using that precedent to go after more folks who have made tools for "cheating." The company recently banned thousands of players from Starcraft II for allegedly using such cheat codes, but reader Jay was the first of a bunch of you to point out that it's also suing three creators of cheat codes using the same dubious claims of copyright infringement.

Now, let me make it quite clear: I completely understand why Blizzard and many players of Blizzard games hate cheat codes and find them unfair and damaging to the overall gameplay. However, even if you think such cheats and hacks are the most evil thing out there, you have to admit that it's no excuse to misuse copyright law to punish the makers of those cheats, knowing that the end result could be precedent that negatively impacts all sorts of other things online. So what is Blizzard claiming specifically? Well, to make this a "copyright" issue, they're claiming that:

When users of the Hacks download, install, and use the Hacks, they copy StarCraft II copyrighted content into their computer's RAM in excess of the scope of their limited license, as set forth in the EULA and ToU, and create derivative works of StarCraft II.

Pick apart that sentence carefully. In order to make this a copyright issue, Blizzard is claiming that (1) running a cheat code violates the EULA and the ToU (the fine print no one read) and (2) once you've violated the EULA and the terms of service, you no longer have a license for the game ("excess of the scope of their limited license") and, because of that (3) when you copy aspects of the game in a fleeting manner into the computer's RAM, it violates the copyright.

Hopefully, you can see how problematic this is. Thankfully, for now, other cases (in a different circuit, I believe, so non-binding on the Blizzard cases) have found that fleeting copies in RAM are not considered infringing, and hopefully the courts here agree, and toss out this kind of tortured logic that could lead to all sorts of other ridiculous rulings. If Blizzard is allowed to make these claims, then any software/content company that offers you a long license, where you don't obey each and every claim, can say you've infringed on their copyright and owe huge statutory damages.

from the consumer-protection dept

To prove a point about how few people actually read the "terms and conditions" when making a purchase online, British game retailer GameStation decided to play an April fools joke on its customers, tricking many of them into agreeing to hand over the rights to their soul. GameStation's current terms require online purchasers of its products to agree to the following:

By placing an order via this Web site on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant Us a non transferable option to claim, for now and for ever more, your immortal soul. Should We wish to exercise this option, you agree to surrender your immortal soul, and any claim you may have on it, within 5 (five) working days of receiving written notification from gamesation.co.uk or one of its duly authorised minions.

The company provided a simple opt-out check-box and inferred from the number of shoppers who didn't click the box (about 88%) that very little attention is paid to such agreements. The fact that so few people read the contracts they sign is not exactly news, but the troublesome part is that these contracts are generally enforced -- although, in this case, GameStation admitted that they would not hold customers to the "immortal soul" clause. Contract law is founded on the notion that we are all free and equal individuals left to our own devices to enter into whatever transactions we wish. Moreover, many believe that any limitations on what individuals can be allowed to agree to (within certain well-accepted limits) are counter to economic wisdom. But when we face up to the fact so few people actually read these agreements, sooner or later we're likely to have to admit that some limits on what retailers can require in these agreements may make sense.

from the and-so-it-goes dept

When Psystar first started selling PCs with Apple OS's installed on them, we knew there would be a lawsuit -- though it took a bit more time than we expected. Originally, Psystar tried to claim that Apple was violating antitrust law, which seemed like a wasted path for exploration -- and, indeed, a court rejected that claim. Then Psystar went back to more reasonable defenses... or so we thought.

The court hearing the case didn't seem to think any of Psystar's main lines of defense had any validity at all and granted summary judgment to Apple on all of the major points, saying that a trial wasn't even necessary. The "fair use" claim was already weak, and the judge noted that Psystar didn't even try to discuss any of the four factors generally used in determining fair use. The two (I thought) stronger claims were that (a) the right of first sale applied, and once Psystar purchased OSX legally, it could resell it, provided it was only installed on that one computer, and (b) that Apple went too far in its EULA terms, which demanded that OS X could only work on a Mac. Unfortunately, the judge didn't agree to either one, though I find the judge's reasoning perplexing and hardly convincing.

On the issue of first sale, here's what the ruling said:

The copies at issue here were not lawfully manufactured
with the authorization of the copyright owner. As stated, Psystar made an unauthorized copy of
Mac OS X from a Mac mini that was placed onto an "imaging station" and then used a "master
copy" to make many more unauthorized copies that were installed on individual Psystar
computers. The first-sale defense does not apply to those unauthorized copies.

Perhaps I'm missing something here, because earlier reports had suggested that Psystar legally purchased each copy of OS X and then installed the legally purchased copy on the new machine (which it then included with the sold machine). But from the description above, it sounds like part of the problem is that a single "master copy" was used to make multiple installations. Of course, that raises a whole host of separate issues. If Psystar legally purchased a separate license for each one, but still used a single master copy, is that really infringing? After all, the code is identical, and it seems positively ridiculous to say that even though you bought, say, 20 licenses, you can't just use one master copy to install 20 times. It seems like this could use additional clarification. Because, the other way one could interpret this is that there is no right of first sale if the company says a copy is unauthorized -- which would have troubling implications.

On the EULA front, the court again basically just takes Apple's position, and insists it did nothing wrong. I'm not surprised by the outcome at all, but I would have expected at least a more complete response to the First Sale doctrine rights issues. Even ignoring that a "copy" was being made -- with the physical copy, it really is a matter of first sale. The company is selling something it legally purchased.

Psystar will likely appeal, though I still have little faith that will get anywhere.

from the even-if-not-visited? dept

There have been plenty of questions over the years about the enforceability of online contracts, especially of the "clickwrap" variety. However, a recent ruling apparently says that contract terms are acceptable even if hidden behind a hyperlink. Apparently, the court found that because the link to the terms is "highlighted" in a different color, it's consider conspicuous enough that a reader should have clicked on it and read it.

Now, that's interesting to me, because I'd just been reading law professor Peter Friedman's blog post for his first year Contracts law class, where he talks about how few people actually read online agreements, and how many people probably agree to things they didn't think they had agreed to:

65 out of my 66 students (law students in a contracts class!) admitted in our first class they rarely or never read the online agreements they "agree" to. The only empirical survey I am aware of regarding consumer behavior in connection with online agreements found the following 7 years ago:

50% of the respondents said that they sometimes read online agreements and 40% never read them;

Thus, only 10% of the respondents always read the online agreements that they encountered;

Well over half of the respondents (64%) always click the Accept button and most of the others (35%) some times Accept;

More than half of the respondents (55%) didn't believe that they were entering into a legally binding and enforceable contract even after clicking I Accept;

Most (79%) never ever kept a copy of any click-wrap agreement that they entered into;

The majority of respondents (90%) indicated that they never completely read shrink-wrap agreements;

38% of the total respondents came from the IT/Internet/E-commerce industries.

We've seen similar things in experiments that offered prizes within the clickwrap agreements, to see if anyone claimed them -- and it took four months and 3,000 downloads for anyone to claim the prize. In many ways, this actually reminds me of an old story about Van Halen's concert contracts with local promoters and venues, that was getting lots of attention last month, after it was featured on an episode of This American Life. Many people have heard the story of how the band had a rider in its contract demanding a bowl of M&M's backstage with all the brown ones removed. And most people who heard that story assumed it was a sign of rockstar divas with ridiculous demands. However, the true story is that it was actually in there to see if the people setting things up had actually read the details of the contract:

Van Halen was the first band to take huge productions into tertiary, third-level markets. We'd pull up with
nine eighteen-wheeler trucks, full of gear, where the standard was three trucks, max. And there were many, many technical errors -- whether it was the girders couldn't support the weight, or the flooring would sink in, or the doors weren't big enough to move the gear through.

The contract rider read like a version of the Chinese Yellow Pages because there was so much equipment, and so many human beings to make it function. So just as a little test, in the technical aspect of the rider, it would say "Article 148: There will be fifteen amperage voltage sockets at twenty-foot spaces, evenly, providing nineteen amperes . . ." This kind of thing. And article number 126, in the middle of nowhere, was: "There will be no brown M&M's in the backstage area, upon pain of forfeiture of the show, with full compensation."

So, when I would walk backstage, if I saw a brown M&M in that bowl . . . well, line-check the entire production. Guaranteed you're going to arrive at a technical error. They didn't read the contract. Guaranteed you'd run into a problem. Sometimes it would threaten to just destroy the whole show. Something like, literally, life-threatening.

And, indeed, what the band found out is that the contract is just as enforceable whether or not you read the contract -- and that appears to be the result online too. While I have heard of a few cases of courts rejecting clickwrap agreements, it certainly sounds like more and more are considering them to be viable, legally-binding contracts.

from the security-risks-abound dept

CNN got a lot of attention on inauguration day as being the online site of choice for people to watch the streaming video of the events. However, as reader Jim Wood alerts us, many people are probably unaware that they agreed to do so by sharing their bandwidth via a P2P application. Now, first off, I actually think this is a good general use of P2P and have wondered in the past why more streaming apps don't make use of bandwidth sharing P2P in a similar manner. However, it does appear that there are many, many issues with how this was implemented. CNN told people they had to install Octoshape Grid Delivery to watch the video -- and it turns out that wasn't true. You only had to install it if you wanted to make use of the more efficient bandwidth sharing. Also, it doesn't appear that it was clearly explained to users at all what they were agreeing to. This is especially problematic at a time when more and more ISPs are using broadband caps that often include upstream traffic. Users might not realize at all that they were giving up a significant amount of their bandwidth.

Separately, the EULA for the software contains some totally ridiculous clauses, including: "You may not collect any information about communication in the network of computers that are operating the Software or about the other users of the Software by monitoring, interdicting or intercepting any process of the Software." Yes, if you install the software, you can no longer monitor your own traffic usage, at least according to those terms.

There are also serious concerns about potential security problems associated with the software, since the software can automatically be activated by visiting any "Octoshape-enabled" website. That seems like a zombie-scammer's dream setup: a secretive P2P network that people don't even know they have that can use up a ton of bandwidth, can't be sniffed (legally) and uses an unexpected port.

Again, there are definite useful ways to make use of P2P to spread out the bandwidth, but it needs to be done in a much more transparent, reasonable and safe manner. Unfortunately, this implementation doesn't seem to have done that -- and millions of trusting CNN users may now run into problems because of that.

from the and-we-can-do-what-we-want-with-it dept

Psystar tried and failed to pin an antitrust case on Apple in its fight over whether or not Psystar can install MacOS on non-Apple hardware. Now, it appears that the company is back to where we thought it would originally focus: on whether or not a software license agreement can preclude the first sale doctrine that allows you to resell software you legally purchased. It's still a long shot -- but a few recent rulings suggest the courts are at least more open to these discussions. Of course, if Psystar wins, it could severely limit the power of end user license agreements (EULAs) that software companies often use to limit uses of software.